Automatically respond to important Workbench alerts, speeding up response and minimizing the impact scope, by creating Automated Response Playbooks.
Automated Response Playbooks (formerly Automated Response) allow you to automate your
response to Workbench alerts by leveraging the Security
Playbooks app.
When a detection model triggers an alert on
highly suspiciousor
suspiciousobjects, the Automated Response Playbook can create response tasks and compile the results into a report sent to your security team.
The Automatic Investigation and Response system leverages Trend Micro Threat
Intelligence powered by Trend Micro Smart Protection Network to reassess highlighted
objects found in Workbench alerts, such as files, URLs, IP addresses, and domains.
The analysis measures the likelihood of a false positive during the reassessment.
If
the likelihood of a false positive is low, the object is labeled
highly suspicious. If the likelihood of a false positive is higher, the object is labeled
suspicious. The response system executes the playbook and creates response tasks on a per-object basis. If there are multiple highlighted objects in a single Workbench alert, the response system and playbook might create individual response tasks for each object that might execute simultaneously.
ImportantYou must have the XDR Threat Investigation entitlement enabled and the following
required data sources configured to create Automated Response Playbooks: XDR
Endpoint Sensor or XDR Email Sensor
|
Procedure
- Go to .
- On the Playbooks tab, choose .
- On the Playbook Settings panel, select the XDR detection type, specify a unique name for the playbook, and click Apply.
- On the Trigger Settings panel, select
Automatic or manual (executed from Workbench) or
Manual (executed from Workbench) for the trigger type
and click Apply.
-
Automatic or manual (executed from Workbench): Workbench alerts automatically trigger playbook execution. You can also manually trigger playbook execution from Workbench.Select Execute playbook automatically only during specified period and specify the days and time periods for automatic execution.
Note
You can specify a maximum of 10 sets of days and time periods in Trigger Settings. -
Manual (executed from Workbench): You need to manually trigger playbook execution from Workbench.
For more information about how to trigger playbook execution from Workbench, see All Alerts and Alerts (Workbench Insights) in the Workbench documentation. -
- On the Target Settings panel,
select and configure the Target for the playbook and
click Apply.
- In the Severity drop-down menu, select the severity level of Workbench alerts that require further investigation.
- If you want playbook actions to trigger only for Workbench alerts
associated with specific detection models, select Filter by
detection models.
-
Click Select Models.
-
Select the detection models by which to filter Workbench alerts.
Important
The severity of your selected models must match the severity of the target settings, otherwise the playbook might fail to run.Tip
You can use both predefined and custom detection models to filter Workbench alerts. Click Custom Models to select custom detection models. -
Click Move to Selected Detection Models.
-
Click Save.
-
- If you want to set conditions based on the risk rating of highlighted objects in the Workbench alert, select Filter by highlighted object risk.
- If you want the playbook to open a case for the Workbench alert that
meets the conditions, select Open a Workbench
case, assign a maximum of 50 owners to the alert, and
specify whether to automatically close the case when the playbook
executes successfully.
Note
This feature is not available in all regions.Important
Creating a case transfers all Workbench notes to the case. New notes can only be added to the case.Alerts already associated with a case in Workbench will not trigger a new case creation. Instead, the playbook will update the existing case with the execution status and execution results. The playbook will not assign new owners to the existing case that already has owners. - Click Apply.
- If you need to take actions when specific conditions are
met, configure the Condition node.
- Click the add node () on the right of the Target node and click Condition.
- Create a condition setting by specifying the
Parameter, Operator,
and Value.SettingDescriptionParameterSpecify one of the following options as the parameter:
-
Endpoint name
-
Endpoint type
-
Highlighted object risk
Note
This option is available only when you select Filter by highlighted object risk in the Target node. -
IP address
Important
This is a pre-release sub-feature and is not part of the existing features of an official commercial or general release. Please review the Pre-release sub-feature disclaimer before using the sub-feature. -
Operating system
-
Operating system
Operator-
IS: The condition is triggered if any of the values is matched
-
IS NOT: The condition is triggered if none of the values is matched
ValueSpecify the parameter value.The values for Highlighted object risk are described as follows:-
Highly suspicious: The likelihood of a highlighted object being false positive is low
-
Suspicious: The likelihood of a highlighted object being false positive is higher
-
Unrated: Analysis result other than Highly suspicious and Suspicious
For information about the values for IP address, see the alert details in the Workbench app. -
- Click Apply.
- If you need to add more than one parallel Condition node, click the add node () on the right of the Target node.
- If you need to configure action settings for the
Condition node, add an
Action node by clicking the add node () on the right.For details, see Step 7.
- If you need to configure else-if conditions or
else actions, add an Else-If Condition or
Else Action node by clicking the add node
() under the
Condition node.For details, see Step 9.
- Configure actions by adding an
Action node.
- Click the add node () on the right of the Condition node and click Action.
- On the Action Settings panel, select
Workbench alert and configure the automated
response actions taken on the
highly suspicious
,suspicious
and/orunrated
objects.Response actions require that you have configured the supporting services. For more information, see Response Actions.SettingDescriptionGeneral actions-
Add to Block List: Adds objects to the User-Defined Suspicious Objects List
Email actions-
None: Takes no action for email messages
-
Delete Message: Deletes target emails from detected mailboxes
-
Quarantine Message: Moves target emails to the quarantine folder
File actions-
Collect File: Compresses the file and sends the archive to the Response Management app
-
Submit for Sandbox Analysis: Sends the file to the Sandbox Analysis app for analysis in a virtual sandbox environment
Note
This action requires allocating credits and configuring the Sandbox Analysis app.
URL actions-
Submit for Sandbox Analysis: Sends the URL to the Sandbox Analysis app for analysis in a virtual sandbox environment
Note
This action requires allocating credits and configuring the Sandbox Analysis app.
Process actions-
Terminate Process: Terminates the "unrated" target process running on an endpoint
Important
This is a pre-release sub-feature and is not part of the existing features of an official commercial or general release. Please review the Pre-release sub-feature disclaimer before using the sub-feature.
User account actions-
None: Takes no action for user accounts
-
Disable User Account: Signs the user out of all active application and browser sessions of the user account. Users are prevented from signing in any new session.
-
Force Sign Out: Signs the user out of all active application and browser sessions of the user account. Users are not prevented from immediately signing back in the closed sessions or signing in new sessions.
-
Force Password Reset: Signs the user out of all active application and browser sessions, and forces the user to create a new password during the next sign-in attempt
Container actions-
None: Takes no action for containers
-
Isolate Container: Stops the spread of suspicious behavior within a container by isolating the containing prod from the environment
-
Terminate Container: Stops suspicious behavior of containers within a pod by terminating the pod
Cloud account actions-
Revoke Access Permission: Revoke access permissions of IAM users with potentially compromised AWS accounts
Important
This action is only available for AWS accounts with the Cloud Response for AWS feature enabled.
Endpoint actions-
Isolate Endpoint: Disconnects the target endpoint from the network, except for communication with the managing Trend Micro server product
-
Run Remote Custom Script: Connects to a monitored endpoint and executes a previously uploaded PowerShell or Bash script fileTo run a custom script, complete the following steps:
-
Select a script file type from the File type drop-down list.
-
Upload a script file from your local by clicking Upload File. Then select your script file from the File drop-down list.For the
Bash Script (.sh)
file type, specify the operating system before uploading your script file. -
Type the parameters if your script requires an additional input.
-
-
- Select whether to send a notification to request
manual approval to create response actions.
Important
Actions pending manual approval for over 24 hours expire and cannot be performed. - If you require manual approval, configure the
following settings.SettingDescriptionNotification method
-
Email: Sends an email notification to specified recipients
-
Webhook: Sends a notification to specified webhook channels
Subject prefixThe prefix that appears at the start of the notification subject lineRecipientsThe email addresses of recipientsThe field only appears if you select Email for Notification method.WebhookThe webhook channels to receive notificationsThe field only appears if you select Webhook for Notification method.Tip
To add a webhook connection, click Create channel in the drop-down list. -
- Click Apply.
- If you need to add more than one parallel action, use the add node () on the right of the Target or Condition node.
- Configure notification settings by adding the second
Action node.
- Click the add node () on the right of the first Action node and click Action.
- On the Action Settings panel, specify how to notify recipients of the playbook results.
- For email and webhook notifications, configure the
following settings.SettingDescriptionSubject prefixThe prefix that appears at the start of the notification subject lineRecipientsThe email addresses of recipientsThe field only appears if you select Email for Notification method.WebhookThe webhook channels to receive notificationsThe field only appears if you select Webhook for Notification method.
Tip
To add a webhook connection, click Create channel in the drop-down list. - For ServiceNow ticket notifications, configure the
following settings.SettingDescriptionTicket profileThe ServiceNow ticket profile to use
Tip
If you need to add a ticket profile, click Create ticket profile in the drop-down list.Ticket profile settingsThe ticket profile settings for the playbookSelecting a ticket profile automatically loads the settings. Changing the settings overrides the ticket profile for the playbook.-
Assignment group: The ServiceNow assignment group you want to assign the ticket to
-
Assigned to: The ServiceNow user you want to assign the ticket to
-
Short description: A short description of the ticket which displays in ServiceNow
-
- If you require manual approval for sending playbook results, follow
Step 7.d to configure the notification
settings.
Note
This setting is available only to ticket notification action. - Click Apply.
- Configure Else-If Conditions or
Else Actions if necessary.
- Click the add node () below the condition node and click Else-If Condition or Else Action.
- Configure a condition node by following Step 6, or configure an action node by following Step 7 or Step 8.
Note
-
The nodes that can be added by using an add node () vary depending on the preceding node. For example, an Action node can only be possibly followed by another Action node; a Condition node can be followed by an Action node or have an Else-If Condition or Else Action attached to it.
-
When a condition is false, the playbook performs the Else Action or checks if its Else-If Condition is met. If the Else-If Condition is met, the playbook continues to perform the corresponding Else Action.
-
Multiple Action nodes configured in a serial mode are taken sequentially.
- Enable the playbook by toggling the Enable control on.
- Click Save.The playbook appears on the Playbooks tab in the Security Playbooks app.